Identify Endpoints with Critical Logged-On Users and Shares with Everyone Permission

By /

2025-02-13

This KQL query is designed to identify security risks on endpoints by detecting critical users logged into devices and shared folders with permissions set to “Everyone”. This combination can expose systems to unauthorized access and pivoting attacks.

KQL Query:

[kql]
let CriticalUsers = datatable(User: string, CriticalityLevel: int)
[
“Admin1”, 1,
“Admin2”, 1,
“User1”, 0
];
let LoggedOnDevices = datatable(Device: string, User: string)
[
“Device1”, “Admin1”,
“Device2”, “Admin2”,
“Device3”, “User1”
];
let SharedFolders = datatable(Device: string, ShareName: string, Permission: string)
[
“Device1”, “Share1”, “Everyone”,
“Device2”, “Share2”, “Everyone”,
“Device3”, “Share3”, “SpecificUser”
];
CriticalUsers
| where CriticalityLevel == 1
| join kind=inner (LoggedOnDevices) on User
| join kind=inner (SharedFolders) on Device
| where Permission == “Everyone”
| project Device, User, ShareName, Permission
[/kql]

Explanation:

  1. Critical Users: The query starts by defining a table of users with their criticality levels.
  2. Logged-On Devices: It then identifies devices where these critical users are logged in.
  3. Shared Folders: Finally, it checks for shared folders on these devices with permissions set to “Everyone”.

Practice Commands:

  • Linux: Use `netstat` to check open shares:
    netstat -tuln | grep 445
  • Windows: Use `net share` to list shared folders:
    [cmd]
    net share
    [/cmd]

What Undercode Say:

In cybersecurity, identifying and mitigating risks associated with shared resources is crucial. This KQL query provides a powerful way to detect endpoints with critical users and improperly configured shared folders. By leveraging such queries, organizations can proactively address vulnerabilities and reduce the attack surface. Additionally, integrating these findings with tools like Microsoft Sentinel or Defender XDR can enhance threat detection and response capabilities. Always ensure that shared resources follow the principle of least privilege and are regularly audited. For further reading on KQL and Microsoft Security, visit KQL Documentation and Microsoft Security Blog.

Remember, security is a continuous process, and tools like KQL are essential for maintaining a robust defense posture. Regularly update your queries and scripts to adapt to evolving threats. Use Linux commands like `chmod` and `chown` to manage permissions effectively, and on Windows, leverage PowerShell scripts to automate security checks. Stay vigilant and keep your systems secure!

References:

Hackers Feeds, Undercode AIFeatured Image

Related Posts:

Scroll to Top